wbk/wireguard-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Adding waiting (-w) in iptables for wg-iptables service

Browse source 
At one point I overloaded the server and Wireguard was not working on it. I began to understand and found out that the `wg-iptables` service did not start. The logs were:

```
May 19 17:50:27 server.domain iptables[714]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 19 17:50:27 server.domain systemd[1]: wg-iptables.service: Main process exited, code=exited, status=4/NOPERMISSION
May 19 17:50:27 server.domain systemd[1]: wg-iptables.service: Failed with result 'exit-code'.
May 19 17:50:27 server.domain systemd[1]: Failed to start wg-iptables.service.

```

Then I started googling this problem [and found out](https://lists.zx2c4.com/pipermail/wireguard/2019-October/004592.html) that the problem is that your startup commands do not specify to wait in case of blocking. This patch fixes the problem.
This commit is contained in:
Perlover 2023-05-19 18:17:00 +02:00 committed by GitHub
parent 98f45f883c
commit 8efab59dff
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
wireguard-install.sh
View file

@ -440,21 +440,21 @@ EOF
Before=network.target
[Service]
Type=oneshot
ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
ExecStart=$iptables_path -I INPUT -p udp --dport $port -j ACCEPT
ExecStart=$iptables_path -I FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
ExecStop=$iptables_path -D INPUT -p udp --dport $port -j ACCEPT
ExecStop=$iptables_path -D FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service
ExecStart=$iptables_path -w -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
ExecStart=$iptables_path -w -I INPUT -p udp --dport $port -j ACCEPT
ExecStart=$iptables_path -w -I FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStart=$iptables_path -w -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$iptables_path -w -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
ExecStop=$iptables_path -w -D INPUT -p udp --dport $port -j ACCEPT
ExecStop=$iptables_path -w -D FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStop=$iptables_path -w -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service
if [[ -n "$ip6" ]]; then
echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
ExecStart=$ip6tables_path -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
ExecStop=$ip6tables_path -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/wg-iptables.service
ExecStart=$ip6tables_path -w -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
ExecStart=$ip6tables_path -w -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$ip6tables_path -w -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
ExecStop=$ip6tables_path -w -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
ExecStop=$ip6tables_path -w -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/wg-iptables.service
fi
echo "RemainAfterExit=yes
[Install]